Submission #630506: libtiff tiffcmp 4.7.0+ (latest master branch) Memory Leak

Title: libtiff tiffcmp 4.7.0+ (latest master branch) Memory Leak
Description:

## Vulnerability Summary

During fuzzing of the TIFFCMP utility from LibTIFF, a critical memory leak vulnerability has been discovered that leads to program termination with SIGBUS (illegal instruction). The vulnerability occurs during TIFF file processing when the program fails to properly release allocated memory, causing AddressSanitizer to detect memory leaks and terminate the process.

## Technical Details

- **Vulnerability Type**: Memory Leak leading to Illegal Instruction
- **Affected Function**: Multiple functions in the TIFF processing chain
- **Primary Functions**: `_TIFFmallocExt`, `_TIFFCheckRealloc`, `TIFFHashSetNew`, `InitCCITTFax3`
- **Signal**: SIGBUS (7) / Illegal Instruction
- **Affected Program**: tiffcmp

## Mechanism and Root Cause

This memory leak vulnerability is caused by improper resource management during TIFF file parsing and processing. The root issue lies in the error handling paths where allocated memory is not properly freed when TIFF header reading fails or when CCITT Fax compression initialization encounters errors.

The vulnerability occurs when:

1. The tiffcmp program attempts to process a malformed TIFF file
2. TIFF header reading fails with a "Cannot read TIFF header" error
3. Various memory allocations occur during the parsing attempt:
   - Main TIFF structure allocation via `_TIFFmallocExt` (1565-1581 bytes)
   - Field merging operations via `_TIFFCheckRealloc` (1272 bytes)
   - Hash table creation via `TIFFHashSetNew` (424 bytes × 2)
   - CCITT Fax initialization via `InitCCITTFax3` (168 bytes)
4. Error handling paths fail to properly deallocate these resources
5. AddressSanitizer detects the memory leaks during program termination
6. The process terminates with SIGBUS due to the memory management violations

## AddressSanitizer Report

```
/dev/null: Cannot read TIFF header.

=================================================================
==1635445==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 1566 byte(s) in 1 object(s) allocated from:
    #0 0x5627a613d7be in __interceptor_malloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd97be) (BuildId: 04ac6561bc9fdd8bf2962f31ac1c1af41d5c40bb)
    #1 0x5627a61e374c in _TIFFmallocExt /libtiff/tif_open.c:197:12
    #2 0x5627a61e374c in TIFFClientOpenExt /libtiff/tif_open.c:366:19
    #3 0x5627a61fcf78 in TIFFFdOpenExt /libtiff/tif_unix.c:221:11
    #4 0x5627a61fcf78 in TIFFOpenExt /libtiff/tif_unix.c:267:11
    #5 0x5627a6178635 in main /tools/tiffcmp.c:103:12
    #6 0x7fbd6b64bd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Indirect leak of 1272 byte(s) in 1 object(s) allocated from:
    #0 0x5627a613dbe5 in __interceptor_realloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd97be) (BuildId: 04ac6561bc9fdd8bf2962f31ac1c1af41d5c40bb)
    #1 0x5627a61fdbf6 in _TIFFCheckRealloc /libtiff/tif_aux.c:107:14
    #2 0x5627a619f309 in _TIFFMergeFields /libtiff/tif_dirinfo.c:584:41
    #3 0x5627a6223a38 in TIFFInitCCITTFax4 /libtiff/tif_fax3.c:1706:14
    #4 0x5627a618be4f in _TIFFVSetField /libtiff/tif_dir.c:297:27
    #5 0x5627a6184a2f in TIFFVSetField /libtiff/tif_dir.c:1208:18
    #6 0x5627a6184a2f in TIFFSetField /libtiff/tif_dir.c:1152:14
    #7 0x5627a61a4c50 in TIFFReadDirectory /libtiff/tif_dirread.c:4389:14
    #8 0x5627a61e5183 in TIFFClientOpenExt /libtiff/tif_open.c:769:17
    #9 0x5627a61fcf78 in TIFFFdOpenExt /libtiff/tif_unix.c:221:11
    #10 0x5627a61fcf78 in TIFFOpenExt /libtiff/tif_unix.c:267:11
    #11 0x5627a6178635 in main /tools/tiffcmp.c:103:12
    #12 0x7fbd6b64bd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Indirect leak of 424 byte(s) in 1 object(s) allocated from:
    #0 0x5627a613d9a8 in __interceptor_calloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd97be) (BuildId: 04ac6561bc9fdd8bf2962f31ac1c1af41d5c40bb)
    #1 0x5627a61df9d9 in TIFFHashSetNew /libtiff/tif_hash_set.c:149:34
    #2 0x5627a61aa9d1 in _TIFFCheckDirNumberAndOffset /libtiff/tif_dirread.c:5671:45
    #3 0x5627a61a3ff5 in TIFFReadDirectory /libtiff/tif_dirread.c:4262:10
    #4 0x5627a61e5183 in TIFFClientOpenExt /libtiff/tif_open.c:769:17
    #5 0x5627a61fcf78 in TIFFFdOpenExt /libtiff/tif_unix.c:221:11
    #6 0x5627a61fcf78 in TIFFOpenExt /libtiff/tif_unix.c:267:11
    #7 0x5627a6178635 in main /tools/tiffcmp.c:103:12
    #8 0x7fbd6b64bd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Indirect leak of 424 byte(s) in 1 object(s) allocated from:
    #0 0x5627a613d9a8 in __interceptor_calloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd97be) (BuildId: 04ac6561bc9fdd8bf2962f31ac1c1af41d5c40bb)
    #1 0x5627a61df9d9 in TIFFHashSetNew /libtiff/tif_hash_set.c:149:34
    #2 0x5627a61aaa95 in _TIFFCheckDirNumberAndOffset /libtiff/tif_dirread.c:5685:45
    #3 0x5627a61a3ff5 in TIFFReadDirectory /libtiff/tif_dirread.c:4262:10
    #4 0x5627a61e5183 in TIFFClientOpenExt /libtiff/tif_open.c:769:17
    #5 0x5627a61fcf78 in TIFFFdOpenExt /libtiff/tif_unix.c:221:11
    #6 0x5627a61fcf78 in TIFFOpenExt /libtiff/tif_unix.c:267:11
    #7 0x5627a6178635 in main /tools/tiffcmp.c:103:12
    #8 0x7fbd6b64bd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Indirect leak of 272 byte(s) in 1 object(s) allocated from:
    #0 0x5627a613d7be in __interceptor_malloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd97be) (BuildId: 04ac6561bc9fdd8bf2962f31ac1c1af41d5c40bb)
    #1 0x5627a61a4551 in TIFFReadDirectory /libtiff/tif_dirread.c:4327:37
    #2 0x5627a61e5183 in TIFFClientOpenExt /libtiff/tif_open.c:769:17
    #3 0x5627a61fcf78 in TIFFFdOpenExt /libtiff/tif_unix.c:221:11
    #4 0x5627a61fcf78 in TIFFOpenExt /libtiff/tif_unix.c:267:11
    #5 0x5627a6178635 in main /tools/tiffcmp.c:103:12
    #6 0x7fbd6b64bd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Indirect leak of 168 byte(s) in 1 object(s) allocated from:
    #0 0x5627a613d7be in __interceptor_malloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd97be) (BuildId: 04ac6561bc9fdd8bf2962f31ac1c1af41d5c40bb)
    #1 0x5627a6223442 in InitCCITTFax3 /libtiff/tif_fax3.c:1503:32
    #2 0x5627a6223a1c in TIFFInitCCITTFax4 /libtiff/tif_fax3.c:1701:9
    #3 0x5627a618be4f in _TIFFVSetField /libtiff/tif_dir.c:297:27
    #4 0x5627a6184a2f in TIFFVSetField /libtiff/tif_dir.c:1208:18
    #5 0x5627a6184a2f in TIFFSetField /libtiff/tif_dir.c:1152:14
    #6 0x5627a61a4c50 in TIFFReadDirectory /libtiff/tif_dirread.c:4389:14
    #7 0x5627a61e5183 in TIFFClientOpenExt /libtiff/tif_open.c:769:17
    #8 0x5627a61fcf78 in TIFFFdOpenExt /libtiff/tif_unix.c:221:11
    #9 0x5627a61fcf78 in TIFFOpenExt /libtiff/tif_unix.c:267:11
    #10 0x5627a6178635 in main /tools/tiffcmp.c:103:12
    #11 0x7fbd6b64bd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x5627a613d7be in __interceptor_malloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd97be) (BuildId: 04ac6561bc9fdd8bf2962f31ac1c1af41d5c40bb)
    #1 0x5627a61df8ee in TIFFHashSetNew /libtiff/tif_hash_set.c:142:39
    #2 0x5627a61aaa95 in _TIFFCheckDirNumberAndOffset /libtiff/tif_dirread.c:5685:45
    #3 0x5627a61a3ff5 in TIFFReadDirectory /libtiff/tif_dirread.c:4262:10
    #4 0x5627a61e5183 in TIFFClientOpenExt /libtiff/tif_open.c:769:17
    #5 0x5627a61fcf78 in TIFFFdOpenExt /libtiff/tif_unix.c:221:11
    #6 0x5627a61fcf78 in TIFFOpenExt /libtiff/tif_unix.c:267:11
    #7 0x5627a6178635 in main /tools/tiffcmp.c:103:12
    #8 0x7fbd6b64bd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x5627a613d7be in __interceptor_malloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd97be) (BuildId: 04ac6561bc9fdd8bf2962f31ac1c1af41d5c40bb)
    #1 0x5627a61df8ee in TIFFHashSetNew /libtiff/tif_hash_set.c:142:39
    #2 0x5627a61aa9d1 in _TIFFCheckDirNumberAndOffset /libtiff/tif_dirread.c:5671:45
    #3 0x5627a61a3ff5 in TIFFReadDirectory /libtiff/tif_dirread.c:4262:10
    #4 0x5627a61e5183 in TIFFClientOpenExt /libtiff/tif_open.c:769:17
    #5 0x5627a61fcf78 in TIFFFdOpenExt /libtiff/tif_unix.c:221:11
    #6 0x5627a61fcf78 in TIFFOpenExt /libtiff/tif_unix.c:267:11
    #7 0x5627a6178635 in main /tools/tiffcmp.c:103:12
    #8 0x7fbd6b64bd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Indirect leak of 48 byte(s) in 1 object(s) allocated from:
    #0 0x5627a613dbe5 in __interceptor_realloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd97be) (BuildId: 04ac6561bc9fdd8bf2962f31ac1c1af41d5c40bb)
    #1 0x5627a618c2ea in _TIFFVSetField /libtiff/tif_dir.c:726:52
    #2 0x5627a6184a2f in TIFFVSetField /libtiff/tif_dir.c:1208:18
    #3 0x5627a6184a2f in TIFFSetField /libtiff/tif_dir.c:1152:14
    #4 0x5627a61b5b15 in TIFFFetchNormalTag /libtiff/tif_dirread.c:6374:21
    #5 0x5627a61a5f3e in TIFFReadDirectory /libtiff/tif_dirread.c:4788:27
    #6 0x5627a61e5183 in TIFFClientOpenExt /libtiff/tif_open.c:769:17
    #7 0x5627a61fcf78 in TIFFFdOpenExt /libtiff/tif_unix.c:221:11
    #8 0x5627a61fcf78 in TIFFOpenExt /libtiff/tif_unix.c:267:11
    #9 0x5627a6178635 in main /tools/tiffcmp.c:103:12
    #10 0x7fbd6b64bd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Indirect leak of 34 byte(s) in 2 object(s) allocated from:
    #0 0x5627a613d7be in __interceptor_malloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd97be) (BuildId: 04ac6561bc9fdd8bf2962f31ac1c1af41d5c40bb)
    #1 0x5627a6183252 in setByteArray /libtiff/tif_dir.c:55:28
    #2 0x5627a618d2a9 in _TIFFVSetField /libtiff/tif_dir.c:788:17
    #3 0x5627a6184a2f in TIFFVSetField /libtiff/tif_dir.c:1208:18
    #4 0x5627a6184a2f in TIFFSetField /libtiff/tif_dir.c:1152:14
    #5 0x5627a61b5b15 in TIFFFetchNormalTag /libtiff/tif_dirread.c:6374:21
    #6 0x5627a61a5f3e in TIFFReadDirectory /libtiff/tif_dirread.c:4788:27
    #7 0x5627a61e5183 in TIFFClientOpenExt /li
```
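As an added triage aid, not part of the submission or of LibTIFF: a parser for the LeakSanitizer report format quoted above that totals bytes per leak kind and per allocating libtiff function, and records the call site in main behind each direct leak. The sample input is a constructed, trimmed excerpt of the report above; the distinction it relies on (indirect leaks are reachable only through a directly leaked object) is LeakSanitizer's own definition.

```python
import re
from collections import defaultdict
# Constructed excerpt of the LeakSanitizer output quoted in the submission (frames
# between the libtiff allocator and main are trimmed; the real report lists them all).
SAMPLE_REPORT = """\
Direct leak of 1566 byte(s) in 1 object(s) allocated from:
    #0 0x5627a613d7be in __interceptor_malloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd97be)
    #1 0x5627a61e374c in _TIFFmallocExt /libtiff/tif_open.c:197:12
    #2 0x5627a61e374c in TIFFClientOpenExt /libtiff/tif_open.c:366:19
    #5 0x5627a6178635 in main /tools/tiffcmp.c:103:12
Indirect leak of 1272 byte(s) in 1 object(s) allocated from:
    #0 0x5627a613dbe5 in __interceptor_realloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd97be)
    #1 0x5627a61fdbf6 in _TIFFCheckRealloc /libtiff/tif_aux.c:107:14
    #11 0x5627a6178635 in main /tools/tiffcmp.c:103:12
Indirect leak of 424 byte(s) in 1 object(s) allocated from:
    #0 0x5627a613d9a8 in __interceptor_calloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd97be)
    #1 0x5627a61df9d9 in TIFFHashSetNew /libtiff/tif_hash_set.c:149:34
    #7 0x5627a6178635 in main /tools/tiffcmp.c:103:12
"""
LEAK_RE = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+)(?: (\S+))?")

def parse_lsan(report):
    """Split an LSan report into leaks: dicts with kind, bytes, objects and (func, loc) frames."""
    leaks = []
    for line in report.splitlines():
        m = LEAK_RE.match(line)
        if m:
            leaks.append({"kind": m.group(1), "bytes": int(m.group(2)),
                          "objects": int(m.group(3)), "frames": []})
        elif leaks and (f := FRAME_RE.match(line)):
            leaks[-1]["frames"].append((f.group(1), f.group(2) or ""))
    return leaks

def alloc_site(frames):
    """First frame past the sanitizer interceptor, i.e. the library function that allocated."""
    return next((fn for fn, _ in frames if not fn.startswith("__interceptor_")), "?")

def summarize(report):
    """Bytes per leak kind and per allocating function, plus where main obtained each directly
    leaked object. Indirect leaks are reachable only through a direct leak and vanish once it
    is freed, so a single missing close at a direct leak's call site can explain the report."""
    totals, by_site, roots = defaultdict(int), defaultdict(int), set()
    for leak in parse_lsan(report):
        totals[leak["kind"]] += leak["bytes"]
        by_site[alloc_site(leak["frames"])] += leak["bytes"]
        if leak["kind"] == "Direct":   # only these need a fix; record the call site in the tool
            roots.add(next((loc for fn, loc in leak["frames"] if fn == "main"), ""))
    return {"totals": dict(totals), "by_site": dict(by_site), "roots": sorted(roots)}
```

Run against the full report, the same summary points every entry back to the single `TIFFOpenExt` call at `/tools/tiffcmp.c:103`, which is where a reviewer would look for the handle that is never closed.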
Source: https://gitlab.com/libtiff/libtiff/-/issues/728
User: HeureuxBuilding (UID 88810)
Submitted: 07/08/2025 21:28 (10 months ago)
Moderated: 19/08/2025 15:24 (12 days later)
Status: Accepted
VulDB Entry: 320543 [LibTIFF 4.7.0 tiffcmp tools/tiffcmp.c denial of service]
Points: 20
